<p>Hidden files are created automatically by many tools to save user-preferences, well-known examples are <code>.profile</code>, <code>.bashrc</code>,
<code>.bash_history</code> or .<code>git</code>. To simplify the view these files are not displayed by default using operating system commands like
<code>ls</code>.</p>
<p>Outside of the user environment, hidden files are sensitive because they are used to store privacy-related information or even hard-coded
secrets.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> Hidden files may have been inadvertently uploaded to the static server’s public directory and it accepts requests to hidden files. </li>
  <li> There is no business use cases linked to serve files in <code>.name</code> format but the server is not configured to reject requests to this
  type of files. </li>
</ul>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<ul>
  <li> Disable the serving of hidden files. </li>
</ul>
<h2>Sensitive Code Example</h2>
<p><a href="https://www.npmjs.com/package/serve-static">Express.js serve-static</a> middleware:</p>
<pre>
let serveStatic = require("serve-static");
let app = express();
let serveStaticMiddleware = serveStatic('public', { 'index': false, 'dotfiles': 'allow'});   // Sensitive
app.use(serveStaticMiddleware);
</pre>
<h2>Compliant Solution</h2>
<p><a href="https://www.npmjs.com/package/serve-static">Express.js serve-static</a> middleware:</p>
<pre>
let serveStatic = require("serve-static");
let app = express();
let serveStaticMiddleware = serveStatic('public', { 'index': false, 'dotfiles': 'ignore'});   // Compliant: ignore or deny are recommended values
let serveStaticDefault = serveStatic('public', { 'index': false});   // Compliant: by default, "dotfiles" (file or directory that begins with a dot) are not served (with the exception that files within a directory that begins with a dot are not ignored), see serve-static module documentation
app.use(serveStaticMiddleware);
</pre>
<h2>See</h2>
<ul>
  <li> OWASP - <a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">Top 10 2021 Category A5 - Security Misconfiguration</a> </li>
  <li> <a href="https://github.com/mtojek/go-url-fuzzer">github.com/mtojek/go-url-fuzzer</a> - Discover hidden files and directories on a web server.
  </li>
  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration">Top 10 2017 Category A6 - Security
  Misconfiguration</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/538">CWE-538 - File and Directory Information Exposure</a> </li>
</ul>
